This listing of claims will replace all prior versions, and listings, of claims in the application: 



LISTING OF THE CLAIMS: 

1-2. (Canceled) 

3. (Currently Amended) A method for detecting an attack on a data processing system installed 
on a kernel layer, the method comprising, in the data processing system installed on the kernel 
layer: 

providin g, at the kernel layer, an initial secret; 

bindin g, at the kernel layer, the initial secret to data indicative of an initial state of the 
system, which is installed on the kernel layer between a hardware layer and an operating system 
layer, via a collision resistant cryptographic function; 

recordin g, at the kernel layer, state changing administrative actions performed on the 
system in a log, the state changing administrative actions comprising one or more of: an 
installation of kernel modules and an alternation of system run-level codes; 

prior to performing each state changing administrative action, at the kernel layer, 
generatinga new secret by performing the collision resistant cryptographic function on a 
combination of data indicative of the administrative action and the previous secret, asd-erasing 
the previous secre t, and recording the new secret in a place of the previous secret ; 

evolvin g, at the kernel layer, t he initial secret based on the log to produce an evolved 

secret; 

comparin g, at the kernel layer, the evolved secret with the new secret; 

determinin g, at the kernel layer, t hat the system is uncorrupted if the comparison 
indicates a match between the evolved secret and the new secret; and 

determinin g, at the kernel layer, t hat the system is corrupted if the comparison indicates a 
mismatch between the evolved secret and the new secret, 

wherein the cryptographic function comprises a one-way hash function and the hash 
function comprises an exponentiation function. 



4. (Previously Presented) The method as claimed in claim 3, wherein the cryptographic function 
comprises a public/private key pair. 

5. (Previously Presented) The method as claimed in claim 3, further comprising: 

receiving the initial secret from a system administrator. 

6-7. (Canceled) 

8. (Currently Amended) A data processing system, which is installed on a kernel layer, 
comprising: 

a processor; 

a memory connected to the processor; and 

detection logic connected to the processor and the memory, the detection logic, in use: 
providin g, at the kernel layer, an initial secret; 

binding , at the kerne l l ayer, t he initial secret to data indicative of an initial state of 
the system, which is installed on the kernel layer between a hardware layer and an 
operating system layer, via a collision resistant cryptographic function; 

recordin g, at the kernel layer, state changing administrative actions performed on 
the system in a log, the state changing administrative actions comprising one or more of: 
an installation of kernel modules and an alternation of system run-level codes; 

prior to performing each state changing administrative action, at the kernel layer, 
generating a new secret by performing the cryptographic function on a combination of 
data indicative of the administrative action and the previous secret, and-erasing the 
previous secret , and recording the new secret in a place of the previous secret ; 

evolvin g, at the kernel layer, the initial secret based on the log to produce an 
evolved secret; 

comparin g, at the kernel layer, the evolved secret with the new secret; 

determinin g, at the kernel layer, that the system is uncorrupted if the comparison 
indicates a match between the evolved secret and the new secret; and 

determinin g, at the kernel layer, that the system is corrupted if the comparison 
indicate a mismatch between the evolved secret and the new secret, 
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wherein the cryptographic function comprises a one-way hash function and the 
hash function comprises an exponentiation function. 

9. (Previously Presented) The system as claimed in claim 8, wherein the cryptographic function 

comprises a public/private key pair. 

10. (Previously Presented) The system as claimed in claim 8, wherein the detection logic 
receives the initial secret from a system administrator. 

1 1 . (Previously Presented) A computer program element comprising computer program code 
means which, when loaded in a processor of a computer system, configures the processor to 
perform a method as claimed in claim 3. 

12. (Canceled) 

13. (Previously Presented) A program storage device readable by machine, tangibly embodying a 
program of instructions executable by the machine to perform method steps for detecting an 
attack on a data processing system, said method steps comprising the steps of claim 3. 

14. (Previously Presented) A computer program product comprising a computer usable medium 
having computer readable program code means embodied therein for causing a data processing 
system, the computer readable program code means in said computer program product 
comprising computer readable program code means for causing a computer to effect the 
functions of claim 8. 

1 5. (Currently Amended) A method for cryptographic entangling of state and administration in 
a data processing system installed on a kernel layer, the method comprising: 

initializing the system, which is installed on the kernel layer between a hardware layer 
and an operating system layer, by generating an initial secret releasing binding data; 

bindin g, at the kern el layer, the binding data to the initial secret via a collision resistant 
cryptographic function; 
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updating , at the kernel layer, the initial secret in advance of an administrative action by 
computing a new secret, the administrative action comprising one or more of: an installation of 
kernel modules and an alternation of system run-level codes; 

erasing , at the kerne l layer, the initial secret together with any information from which 
the initial secret might be derived; 

recording, at the kernel layer, the new secret in a place of the initial secret; 

recording , at the kernel layer, data indicative of the administrative action; 

permitting , at the ke r nel layer, execution of the administrative action; and 

offering, at the ker nel layer, a proof that the new secret corresponds to the initial secret as 
it has evolved according to a record of administrative actions, 

wherein the cryptographic function comprises a one-way hash function and the hash 
function comprises an exponentiation function. 

16. (Previously Presented) The method as recited in claim 15, wherein the step of offering 
retrieves the initial secret via a request for entry of the initial secret by a system administrator, 
retrieving the record of administrative actions previous stored; and 

evolving a candidate secret for the initial secret based on the record of administrative 
actions retrieved; 

comparing the candidate secret with a current secret; 

if the candidate secret matches the current secret, reporting that the data processing 
system is still in an uncorrupted state, and 

if the candidate secret does not match the current secret, reporting that the data 
processing system is in a potentially compromised state. 

17. (Previously Presented) The method as recited in claim 15, further comprising permitting 

detection of any Trojan horse within the system. 

18. (Previously Presented) The method as recited in claim 15, wherein the initial secret is 
supplied via a secure communication channel 



5 



I:\IBM\I 05\2 i 799\Amerjd\2 1799.Amendment_AfterRCE.doc 



19. (Previously Presented) The method as recited in claim 15, wherein the binding data takes 
different forms depending on an application of the data processing system, and a trust 
mechanisms associated with communication of the initial secret. 



20. (Canceled) 
21-22. (Canceled) 

23. (Previously Presented) The method as recited in claim 15, wherein the step of computing the 
new secret includes applying a one way function to a combination of a previous secret and data 
indicative of the administrative action. 

24. (New) The method as recited in claim 1 , wherein a proof of knowledge of the evolved secret 
equates to a cryptographic verification of a history of the administrative actions. 

25. (New) The method as recited in claim 8, wherein a proof of knowledge of the evolved secret 
equates to a cryptographic verification of a history of the administrative actions. 



6 



I:\1BM\ i 05\2 1799\Amend\2 1 799. Amendment jWterRCRdoc 



